0

I have uploaded my ReactJS SPA to Blob storage and I have enabled static website hosting.

Now I have this Primary endpoint url: https://myapp1.z11.web.core.windows.net/ and I can view the website with it.

However, in order for my website to be accessible by customers, I must do "Enabled from all networks" in the "Public network access" section of networking configurations.

What does it mean to make it public? Does it mean the files stored in the container are all available for downloading from the public internet? Or does it only mean that the static website is accessible from the public?

Is this a bad practice to make it public? What are the risks?

I have tried to put Azure FrontDoor in front of the Blob Storage static website. However, here are the problems:

  1. I still need to enable Public network access for all networks in the blob storage, to allow the frontdoor to access the website.

  2. If I wish to keep the Blob private instead of public, It is recommended to use private link with FrontDoor Premium. However the Premium is too expensive and it is absolutely ruled out.

Azure should provide a simple way to make Blob storage hosting a static website private, and allow traffic only from a standard / classic FrontDoor instance. AWS provides such features with their CloudFront and S3 bucket, they are really handy.

FrontDoor provides protections against XSS and DDoS, which Blob storage static website does not provide.

Kid_Learning_C
  • 2,605
  • 4
  • 39
  • 71
  • 2
    Do you have any private files in the container? If not, then there shouldn't be any issues. Note that you only need to grant public read access to blobs, _not_ containers (so HTTP requests for any particular blob are allowed, but visitors won't be able to _enumerate_ blobs). – Dai Jul 17 '23 at 12:33
  • You might find this link helpful: https://learn.microsoft.com/en-us/azure/static-web-apps/front-door-manual?tabs=azure-portal&pivots=swa-afd-manual-afd – Narthring Jul 17 '23 at 15:35

1 Answers1

0

Created blob storage enabled static website to have a Primary endpoint URL: https://XXXXX.z13.web.core.windows.net/ that I can view the website with it.

enter image description here

While enabling Public network access means that your website is accessible from the public internet. It doesn't mean that the files in the container can be downloaded directly through the Blob storage URL from the public internet. The content can be accessed and retrieved by anyone.

enter image description here

Making your website public as various risks, unauthorized access It could be risky, if the container contains private or any sensitive information you don't want to access anyone else.

In Azure Front Door does provide additional benefits as DDoS attacks If you want to keep the Blob private you should use private link with Front Door Premium only. In your case Premium is too expensive you can make use of other services like azure CDN Content Delivery Network or Application gateway.

Alternatively, you can use selected networks option under the public network access:

enter image description here

Create a network access rule to whitelist the virtual networks and IP addresses that are allowed to access your static website hosted in Blob storage:

enter image description here

enter image description here

This way, only users or services within the specified networks or with the designated IP addresses would be able to access the website. you can check similar issue of So thread by Kartik Bhiwapurkar

References:

Azure on the Cheap - Azure Storage Static Website and Azure Front Door by jeffrey chilberto

Running an Azure Storage Static Site, protected by Azure Front Door -Azure Readiness Starts Here

Imran
  • 3,875
  • 2
  • 3
  • 12